Jason Hoffman started his career as an internal auditor, but after 7 years he was ready to leave the job he was "really good at" and try something different. The transition to security more than 18 years ago "was probably the best decision I made in my career," says Hoffman, who is now CSO at marketing automation software vendor Marketo. "I don’t think anyone in 1998 could have predicted how important security would be today."

"Company executives and their boards are more acutely aware that security is not just an IT problem but it’s a business problem," says Hoffman. "As a result, security is getting more emphasis across all companies regardless of sector."


The importance of security to the business is borne out in research. IT executives surveyed by CSO Online's sister site CIO.com for its 2016 State of the CIO report said that "improving cybersecurity ranks third on the list of goals their CEOs have set for them personally (29%), behind completing a major enterprise project (40%) and reaching a specific revenue goal (32%)." At the same time, those IT executives reported that "security is among the top technology initiatives driving IT investment (29%), nearly equal with cloud computing (30%) and big data/business analytics (27%)."

"The smart companies, those that will succeed in the long-term, will invest in security and do the right thing," says Hoffman. And investing in security translates to investment in people. According to Computerworld's 2016 IT Salary Survey*, information security manager is the hottest job in IT (see figure 1 below), boasting the biggest increase in average total compensation (up 6.4% from 2015 to 2016). Information security specialist also made the hot jobs list with an average increase in total compensation of 4.7%, tying software developer for the #5 spot.

Figure 1: IT jobs with the greatest increase in average total compensation, 2015 to 2016 (Source: Computerworld 2016 IT Salary Survey)

Information security manager: +6.4%
Systems analyst: +6.2%
Systems administrator: +5.3%
Network administrator: +4.8%
Software developer: +4.7%
Information security specialist: +4.7%
Network engineer: +4.6%
Chief information officer: +4.6%
Software engineer: +4.5%
Application developer: +4.4%

As well, just over half (51.3%) of security executives and managers surveyed by Computerworld said they expected IT staff headcount to increase in the coming year. For his part, Hoffman says that Marketo is currently recruiting for a Director of Information Security and he expects to "expand the security team this year focusing on technical roles such as security architects, security engineers and security analysts." This trend also holds at identity management provider Ping Identity, where CISO Robb Reck says they plan "to grow the security department significantly this year, with hires in application security, devops/infrastructure security, and security governance and compliance."

All of this paints a pretty rosy picture for those who have chosen a career in security, a move that Hoffman says he would "absolutely" recommend.

Satisfaction high; salaries rising

A remarkable 89.9% of security pros surveyed by Computerworld said they were either very satisfied or satisfied with the decision to pursue a career in IT. Nearly the same number said that they felt their current position is either very secure or secure. "Security is not going away," says Hoffman. "With the proliferation and monetization of big data, companies need security professionals to help them protect the data."

73.2% of security pros surveyed said that they think that a career path in IT and the potential for salary advancement is more promising than most other career paths. Reck points out that "security is only getting more important," and Hoffman adds that "security professionals command a premium in salary compared to most IT roles."

At the same time, and not surprisingly, security salaries are on the rise and the good times are expected to keep on rolling.

76.1% of security pros surveyed said that their base salary had increased since one year ago. Among those who reported salary increases in the last year, security pros were more likely than other IT professionals to cite internal promotion (14.3% vs. 10.5%), additional/new responsibilities (15.2% vs. 7.8%), or a new job with promotion at a different organization (10.5% vs. 3.6%) as reasons for the increase. 34.1% of security pros (compared to 25.3% of all IT pros) said that they expected to be at a higher-level position within a different organization five years from now, while 28.3% expected to be promoted to a higher-level position within the same company.

So what's wrong, exactly?

To paraphrase the theme song from the inexplicably long-running TV show The Facts of Life, you take the good, you take the bad, you take them both and there you have … market dynamics.

Yes, the job market for security professionals is hot, which is good for salaries and mobility, but it comes on the back of a severe talent shortage: 23.2% of security pros (12.3% of all IT pros) said that they think the IT talent shortage is the biggest challenge facing the IT industry.


"With an unemployment level hovering around 0%, hiring experienced security professionals generally means poaching talent from the company down the street," says Reck. "All that does is move the talent gap down the road, only exacerbating the issue of a talent shortage. The better we do at finding and training up new security professionals, the more we are helping the world in general."

"The impacts to this are everywhere," Reck adds. "If a company cannot hire to its staffing plan it means either missing critical roadmap items or forcing current staff to perform heroic efforts to get it all done. Neither case is acceptable, and either can lead to disaster in the mid-term."

Security professionals are more likely than other IT professionals (64.5% compared to 58.7%) to report being under pressure to increase productivity and take on new tasks, a situation that isn't likely to improve in the coming year: 60.1% of security pros (56.1% of all IT pros) said that they expected their workload and responsibility to increase in the next 12 months.

Among those who have been asked to increase productivity and/or take on new tasks, 79% of security pros said that their salary had not been adjusted to compensate for the added workload (though here they fared better than IT pros in general) and they were more likely than other IT professionals (60.9% vs 55.3%) to feel that their salary was not keeping pace with business growth and demands.

That's enough to make anyone want to jump ship.


Money talks

The grassy patch on the other side of the fence is looking mighty green to the 49.2% of security pros who said they are either actively or passively looking for a new job outside their organization.

"With the shortage of security professionals and increased demand, the market definitely has allowed professionals to pursue new opportunities," says Hoffman.


73.9% of security pros (compared to 60.7% of all IT pros) said they had been approached by a hiring organization or headhunter about job opportunities. And only 8.5% of the security professionals who are not looking for a new job said that it is because the job market is poor or there are few opportunities (compared to 13.1% of all IT pros surveyed).

For security pros who are looking for a new job, the hardest part of their job search isn't knowing what they want from a new position, as it is for other IT professionals, but knowing how much compensation to ask for.

Security pros are far more likely than other IT professionals to have IT-related certifications (81.9% compared to 54%) and are more likely to believe that having certifications helped them land a job, earn a promotion or get a raise (62.8% compared to 41.6%). But Hoffman and Reck say that certifications don't carry as much weight as skills and experience.

"Certifications are beneficial for those who are new to the profession," says Hoffman, who believes that "certifications provide a solid foundation and demonstrate one’s commitment to the profession. But they are not a must have."

Reck adds that while "certifications do have some value," for "most of [his] hires, [he is] worried only about the skills - can they do what I need them to do? A certification doesn’t play a role in that at all."

Hiring challenges

If you're an employer looking to lure top talent, it's pretty clear what levers you need to pull (79.7% of security pros said that a salary increase would convince them to change jobs), but that doesn't mean you don't have your work cut out for you.

According to an IDC survey of senior infosec executives, the majority of jobs that require less than five years of experience are filled within just three months. "But we seem to hit this tipping point when we look for more experienced security professionals," said Pete Lindstrom, vice president of security research with IDC's IT Executive Program. According to the report, 21% of jobs requiring 10+ years of experience take a year or more to fill and nearly half of jobs requiring 20+ years of experience take more than a year to fill.


"One of the main misconceptions around the security industry is the idea of a 'security guy/gal'," says Reck. "The way it gets discussed is as though security is a single practice. In reality there are dozens or even hundreds of completely separate paths within the security industry, and many have little or no overlap with others. An excellent malware analyst would likely make a terrible security auditor, and a security awareness program designer can’t perform secure code reviews. So not only are we facing a global scarcity in ‘security’ talent, there are many subfields that are even more understaffed."

"In my program, I need security folks who are experts on the technologies they will be securing," says Reck. "So for my appsec team, they need to understand web development in an agile environment. My devops/engineering folks need to understand the cloud computing environment we are in, and the devops tools we use. So I can’t simply find ‘a security person.’ I need someone who either already has deep knowledge in those technologies, or is hungry to gain that experience here at Ping."

"For a security professional, it takes years to learn the skills needed and gain real world experience that can make them effective in their job," Hoffman says. "To help explain to people what security professionals do, I often tell them in the world of IT, you have the following groups: networking, servers, desktop, applications and databases. Each of those groups has subject matter experts. In the world of security, you need to find someone with knowledge and experience in all of those areas. If you’re a CISO and find someone who has command of all of these areas, hire them right away and do everything you can to retain them. There are not many people who match these criteria, therefore companies typically look for highly skilled IT staff and train them in security. This is a legitimate and effective career path for IT staff to grow into the security space."

Career outlook

Both Hoffman and Reck say now is a great time for career advancement — or to make a transition to security. "More companies are looking for security leaders and even their first CISO," says Hoffman. "Even with a shortage of security leaders, companies are still filling those roles, often with a candidate who has never been a CISO before."


But choosing a career in security isn't as simple as getting a degree. Reck says that while he recommends a career in security to anyone who asks, he "wouldn’t recommend something as general as 'go study security.'" Hoffman adds that "although there are now some colleges offering Bachelor’s and Master’s degrees in security, as an industry we still could do more to help train our future security leaders straight out of college. It is going to take 20 years to get where we need to be in having schools at all levels have security teachers and professors teach security to students so the workforce is stacked with security experts."

But, oh, what an exciting 20 years it's going to be!

"Find a technology, or discipline within security that [you] are passionate about, and where [you] can really enjoy [yourself], then dive into that," says Reck. "Don’t be a 'security person.' Be a devops security engineer, solving the problems with security in an AWS environment. Or be a security compliance expert, understanding the intricate details of relevant compliance frameworks and how they can be used to make your company excellent. Or a secure Java development guru, making standardized approaches to common problems."

"The key is to find a problem that you want to solve, and get after it in great detail," says Reck. "None of those problems will go away in the next decade. And if you aren't able to be a part of the solution for one of them, don’t worry, there will be another one right behind it that will keep you interested and busy, and well paid."

* For its 2016 IT Salary Survey, Computerworld polled 3,878 IT professionals, of which 138 respondents had security titles.